What’s the Plan? A How-To Guide for Preparing Your Cyber Incident Response Program

Last week, we kicked off a four-part blog series with our strategic partner, Alert Logic, that has a focus on the importance of cloud security for Digital Businesses. This week, Alert Logic has contributed the following blog post as a guide to help digital businesses prepare for—and respond to—cyber incidents.

Evaluating your organization’s cyber security incident response readiness is an important part of your overall security program. But responding to a cyber security incident effectively and efficiently can be a tremendous challenge for most. In most cases, the struggle to keep up during an incident is due to either of the following:

The cyber incident response plan has been “shelf-ware” for too long.

The plan hasn’t been practiced by the incident response team.

Unfortunately, most organizations view cyber incident response as a technical issue—they assume that if a cyber incident response plan is in place and has been reviewed by the “techies,” then the plan is complete. In reality, all these organizations have is a theoretical cyber incident response plan, one with no testing or validation. Cyber incident response plans are much more than a technical issue. In the end, they are about people, process, communication, and even brand protection.

How to ensure your cyber incident response plan works

The key to ensuring your cyber incident response plan works is to practice your plan. You must dedicate time and resources to properly test the plan. Cyber incident response is a “use it or lose it” skill that requires practice. It’s similar to an athlete mastering a specific skill; the athlete must complete numerous repetitions to develop the muscle memory that enhances performance. In the same way, the practice (repetitions) of testing your cyber incident response plan will enhance your team’s performance during a real incident.

Steps for testing your plan effectively

Step 1: Self-Assessment and Basic Walk-Through

An effective methodology to test your cyber incident response plan begins with a self-assessment and a simple walk-through of the plan with a limited number of team members. Steps should include:

The incident response manager reads through the plan, using the details of a recent data breach to follow the plan. The manager also identifies how the incident was discovered as well as notification processes.

The team follows the triage, containment, eradication, and forensics stages of the plan, identifying any gaps.

The incident response manager walks through the communications process along the way, including recovery and steady-state operations.

The team documents possible modifications, follow-up questions, and clarifications that should be added to the plan.

Step 2: All Hands Walk-Through

The next step after the self-assessment is a walk-through with the entire incident response team. This requires an organized meeting in a conference room and can take between 2 and 4 hours, in which a scenario (a recent breach) is used to walk through the incident response document. These working sessions are ideal for filling in the gaps and clarifying expectations for things like detection, analysis, required tools, and resources. Organizations with successful incident response plans will also include their executive teams during this type of test. The executive team’s participation highlights priorities from a business and resource perspective and is less focused on the technical aspects of the incident.

Step 3: Live Exercise

The most important step in evaluating your incident response plan is to conduct a live exercise. A live exercise is a customized training event for the purpose of sharpening your incident response team’s skills in a safe, non-production environment. It isn’t a penetration test; it’s an incident response exercise designed to test your team’s ability to adapt and execute the plan during a live cyber attack. It’s essentially the equivalent of a pre-season game—the team participates, but it doesn’t count in the win/loss column. The value of a live exercise is the plan evaluation and the team experience. The lessons learned usually prove to be the most valuable input to the maturation of your cyber incident response plan.

Ultimately, preparedness is not just about having an incident response plan; it’s about knowing the plan, practicing the plan, and understanding that it’s a work in progress. The development of an excellent incident response plan includes involvement and validation from the incident response team as well as a commitment to a repeated cycle of practice and refinement.

Learn more about 2W Managed Cloud Security and how our partnership with Alert Logic can ensure your environment’s security.